Generally, you are required to protect personal information
stored on your website's server by implementing reasonable
and appropriate data security measures. If you fail to meet
this general requirement, you expose yourself to claims from
website visitors whose information has been compromised.
In addition, the Federal Trade Commission (FTC) continues
to aggressively bring enforcement actions for security
failures under Section 5 of the FTC Act, which prohibits
unfair or deceptive acts or practices.
A good example is the enforcement action the FTC brought
against LifeIsGood.com for failure to implement reasonable
and appropriate data security measures. This case is
significant because the safeguards set out in the settlement
are the ones the FTC expects every site that handles
sensitive consumer information to follow.
LifeIsGood.com's Privacy Statement
Life Is Good collected sensitive consumer information,
including names, addresses, credit card numbers, credit
card expiration dates, and credit card security codes
through its website. Its privacy policy claimed: "We are
committed to maintaining our customers' privacy. We collect
and store information you share with us - name, address,
credit card and phone numbers along with information about
products and services you request. All information is kept
in a secure file and is used to tailor our communications
with you."
The FTC Claims
The FTC alleged that, contrary to its privacy policy, Life
Is Good failed to provide reasonable and appropriate
security for the sensitive consumer information stored on
its computer network.
Specifically, the FTC alleged that Life Is Good:
1. unnecessarily risked credit card information by storing
it indefinitely in clear, readable text on its network, and
by storing credit card security codes;
2. failed to assess adequately the vulnerability of its
Web site and corporate computer network to commonly known
and reasonably foreseeable attacks, such as SQL injection
attacks;
3. failed to implement simple, free or low-cost, and
readily available security defenses to SQL and similar
attacks;
4. failed to use readily available security measures to
monitor and control connections from the network to the
Internet; and
5. failed to employ reasonable measures to detect
unauthorized access to credit card information.
The Settlement
In its settlement with the FTC, announced in a press release
dated January 17, 2008, Life Is Good agreed to implement
the following five administrative, technical, and physical
safeguards. They amount to five excellent tips, delivered
straight from the FTC, that you should also follow:
1. Designate an employee or employees to coordinate the
information security program.
2. Identify internal and external risks to the security
and confidentiality of personal information and assess the
safeguards already in place.
3. Design and implement safeguards to control the risks
identified in the risk assessment and monitor their
effectiveness.
4. Develop reasonable steps to select and oversee service
providers that handle the personal information of customers.
5. Evaluate and adjust its information security program to
reflect the results of that monitoring, any material changes
to the company's operations, or other circumstances that may
affect the effectiveness of the program.
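The technical allegations above (card numbers kept indefinitely in clear text, stored security codes, and an unassessed SQL injection exposure) and safeguard 3 (design safeguards that control the identified risks) are easier to act on with a concrete picture of what the weak and corrected code look like. The following is an added illustration, not code from Life Is Good or from the FTC complaint: a string-concatenated lookup that a crafted input turns into a "return every card" query, the same lookup with a bound parameter, and a card-on-file routine that never accepts a CVV and stores only a processor token plus the last four digits. The customer records, the injection payload and the `tok_constructed_01` token are all constructed for the example; the processor tokenization API it assumes is not modelled.

```python
import sqlite3

# Constructed sample records (not real cards; 4111... and 5555... are the usual
# test numbers). The "customers" table mirrors allegation 1: full card numbers
# kept indefinitely in clear text alongside the customer record.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "4111111111111111"),
    ("bob@example.com", "5555555555554444"),
]

# A crafted "email" value: the single quote closes the literal the vulnerable
# query wraps it in, and OR '1'='1' makes the WHERE clause true for every row.
INJECTION_PAYLOAD = "nobody@example.com' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, pan TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    # Table for the hardened card-on-file flow: no full PAN column, no CVV column.
    conn.execute("CREATE TABLE cards (email TEXT, last4 TEXT, processor_token TEXT)")
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string concatenation, the pattern that lets a
    crafted email value rewrite the WHERE clause (allegations 2 and 3)."""
    sql = "SELECT email, pan FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same query with a bound parameter: the driver hands the value to the
    engine separately from the SQL text, so quotes inside it stay data."""
    sql = "SELECT email, pan FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def store_card_on_file(conn, email, pan, processor_token):
    """Persist only what a later charge needs: the processor's token and the
    last four digits for display. There is deliberately no CVV parameter; the
    security code is sent with the one authorization and then discarded
    (allegation 1). processor_token is assumed to come from the payment
    processor's tokenization API, which this example does not model."""
    conn.execute(
        "INSERT INTO cards (email, last4, processor_token) VALUES (?, ?, ?)",
        (email, pan[-4:], processor_token),
    )
    return conn.execute(
        "SELECT email, last4, processor_token FROM cards WHERE email = ?", (email,)
    ).fetchone()


def pan_is_present(conn, pan):
    """Return True if the full card number appears anywhere in the cards table;
    after store_card_on_file it must not."""
    rows = conn.execute("SELECT last4, processor_token FROM cards").fetchall()
    return any(pan in value for row in rows for value in row)


def main():
    conn = make_db()
    print("vulnerable lookup    :", lookup_vulnerable(conn, INJECTION_PAYLOAD))
    print("parameterized lookup :", lookup_parameterized(conn, INJECTION_PAYLOAD))
    print("card on file         :", store_card_on_file(
        conn, "carol@example.com", "4111111111111111", "tok_constructed_01"))
    print("full PAN in cards    :", pan_is_present(conn, "4111111111111111"))


if __name__ == "__main__":
    main()
```

Run stand-alone, the vulnerable lookup returns both sample customers with their full card numbers for a single crafted input, while the parameterized version returns nothing for it. The card-on-file routine is the shape of what the "free or low-cost" remediation looks like: parameterized queries cost nothing, and not persisting what you do not need (the PAN, the CVV) removes the data the attacker was after.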
Conclusion
Sometimes form is as important as substance. How you do
something, and the fact that you documented it at the time
you actually did it, can matter just as much as the fact
that you did it.
The settlement safeguards in the Life Is Good case are a
prime example. Simply having what you believe is a good
data security program is one thing; being able to document
that you went through the steps outlined by the FTC is
another.
The Life Is Good case shows what the FTC will accept as
reasonable data security. So it's highly recommended that
you set up a filing system that preserves your documentation
and shows that you went through these steps, and when you
did so. Then set up a tickler (a calendar reminder) to go
through the steps again on an annual basis.
We know that no data security program is 100% safe from
illegal intrusions. If you suffer a data security breach,
it's likely the FTC or a state regulator will come knocking
at your door. That's why it's so important to be able to
produce a file that clearly shows you implemented reasonable
and appropriate data security measures in accordance with
the FTC guidelines.
The future of your business may depend on it!
----------------------------------------------------
Chip Cooper is a leading intellectual property, software,
and Internet attorney who advises software and ecommerce
businesses nationwide. Chip's easy and affordable online
contract drafting service coordinates website contracts
such as Terms of Use, Privacy Policy, Subscription,
Membership, and SaaS agreements. Visit Chip's
http://www.digicontracts.com/ site and download his FREE
report, "12 Sure-Fire Ways Your Website Can Get You Sued".